Attachment Protection policies protect your organization from targeted threats by capturing messages with potentially unsafe attachments. Each policy requires a configured Attachment Protection definition to set the conditions under which an attachment is considered safe or unsafe, and what actions should be taken if considered unsafe.

Best Practice Settings

We provide a list of Attachment Protection definition settings, based on commonly used configurations, that we consider best practice. They provide an optimal solution to protect you against potentially unsafe attachments. See the Attachment Protect Best Practice page for full details. You must log on to Mimecaster Central to access this page.

As one setting may not meet all your specific requirements, we recommend you review your requirements and change these options where necessary.

Configuring an Attachment Protection Definition

To configure an Attachment Protection definition:

Log on to the Administration Console.

Click on the Administration menu item. A menu drop down is displayed.

Click on the Gateway | Policies menu item.

Select the Definitions drop down. A list of the definition types is displayed.

Select Attachment Protection from the drop down menu. The list of definitions is displayed.

Either click the:

New Definition button to create a definition.

Definition to be changed.

In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.

Complete the Inbound, Outbound and Journal Settings as required. If the setting applies, a 'Y' will show in the appropriate column below:

Field / Option | Inbound | Outbound | Journal | Description

Enable Inbound / Outbound / Journal Check | Y | Y | Y

Select this option to enable Attachment Protection for Inbound, Outbound, or Journal mail. If selected, some additional fields / options are displayed, as listed below. These can protect against malicious attachments found in mail.

Attachment Protect Delivery Options | Y | N | N

Specify a delivery option for the definition. The options are:

Safe File: Transcribes vulnerable file types to a different file format to ensure they're safe. If selected, the "Administrator Notification" and "Admin Review Group" fields are not displayed.

Safe File with On-Demand Sandbox: Transcribes vulnerable file types to a different file format to ensure they are safe, but allows users to request the original versions via the on-demand sandbox.

Preemptive Sandbox: Checks all vulnerable file types in the preemptive sandbox, before delivering the mail and attachments to the user. This is the only option for ZDR and Metadata Only customers.

Dynamic Configuration: This takes the onus away from the administrator by giving control to users to decide if individual users are added to a trusted list. By default, Safe File with On-Demand Sandbox is used, but for users on the trusted list, Preemptive Sandbox is used.

Ignore Signed Messages | Y | N | N

If selected, attachment protection is not applied to digitally signed messages. This ensures the message signature remains intact but means attachments are not security checked. This option is not displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox".

Sandbox Fallback Action | Y | N | N

Specify the action to take if an attachment cannot be processed by the sandbox. This option is only displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox". The options are:

Hold for Administrator Review: The message and attachment are placed in the held queue.

Bounce: The message and attachment are accepted, but bounced with a notification to the sender.

Release Forwarded Internal Attachment | Y | N | N

Controls whether any internally forwarded attachment can be released from the sandbox.

Enable Notifications | Y | Y | Y

Enables a group of users to be notified when an attachment is unsafe. If selected, the "Administrator Group" field is displayed. See the Managing Groups page for full details on creating the group.

Administrator Group / Notify Group | Y | Y | Y

Select a group of administrators via the Lookup button to receive notifications of any unsafe attachments.

Internal Sender | Y | Y | Y

Sends a notification to the message's internal sender if an unsafe attachment is found.

Internal Recipient | Y | N | Y

Sends a notification to the message's internal recipient if an unsafe attachment is found.

External Sender | Y | N | N

Sends a notification to the message's external sender if an unsafe attachment is found.

Default Transcribed Document Format | Y | N | N

Specify the default file format to be used for safe file document transcription:

PDF

TIFF: This is used if the document cannot be transcribed to the selected format.

Original Format

Default Transcribed Spreadsheet Format | Y | N | N

Specify the default file format to be used for safe file spreadsheet transcription:

CSV: If selected, the 'Spreadsheet Worksheet Options' field is displayed.

PDF

TIFF: This is used if the spreadsheet cannot be transcribed to the selected format.

Original Format

HTML

HTML Multi-Tab: This provides a .zip file that must be extracted. This value is used if the spreadsheet cannot be transcribed to the selected format.

Gateway Action | N | Y | N

Select the action (or fallback action) to take when a message containing an unsafe attachment is detected. The Gateway Fallback Action is only applied if we're unable to check a message's attachment.

None: The message is delivered to the recipients.

Hold: The message is sent to the hold queue, and not delivered to the recipients.

Bounce: The message is rejected, and not delivered to the recipients.

Gateway Fallback Action | N | Y | N

User Mailbox Action | N | Y | Y

Select the action (or fallback action) to take on the user's mailbox when a message containing an unsafe attachment is detected. The User Mailbox Fallback Action is only applied if we're unable to check a message's attachment.

None: No action is taken on the user's mailbox. The message is delivered to the recipients.

Remove Message: The message is removed from the user's mailbox.

Remove Attachment: The message is delivered to the user's mailbox, with the attachment removed.

In non-Exchange environments, automatic remediation isn't supported. However, you can leverage detection with a journal connector, and through these alerts perform manual remediation.
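The field dependencies described in the inbound settings above can be checked against a planned definition before it is entered in the console. This is an added example, not Mimecast code or a Mimecast API: the dict keys, the account_type labels and both function names are assumptions made for illustration.

```python
# Added example: a local model of the inbound settings, not a Mimecast API.
# The dict keys and account_type labels below are hypothetical names.
SAFE_FILE = "Safe File"
ON_DEMAND = "Safe File with On-Demand Sandbox"
PREEMPTIVE = "Preemptive Sandbox"
DYNAMIC = "Dynamic Configuration"
DELIVERY_OPTIONS = {SAFE_FILE, ON_DEMAND, PREEMPTIVE, DYNAMIC}
FALLBACK_ACTIONS = {"Hold for Administrator Review", "Bounce"}


def review_inbound_definition(d, account_type="standard"):
    """Return a list of findings for a planned inbound definition."""
    option = d.get("delivery_option")
    if option not in DELIVERY_OPTIONS:
        return [f"unknown delivery option: {option!r}"]
    findings = []
    # Preemptive Sandbox is the only option for ZDR and Metadata Only customers.
    if account_type in ("ZDR", "Metadata Only") and option != PREEMPTIVE:
        findings.append(f"{account_type} accounts can only use {PREEMPTIVE}")
    if option == PREEMPTIVE:
        # A fallback action must be chosen; Ignore Signed Messages is not shown.
        if d.get("sandbox_fallback_action") not in FALLBACK_ACTIONS:
            findings.append("set Sandbox Fallback Action to Hold for Administrator Review or Bounce")
        if d.get("ignore_signed_messages"):
            findings.append(f"Ignore Signed Messages is not offered with {PREEMPTIVE}")
    else:
        if d.get("sandbox_fallback_action"):
            findings.append(f"Sandbox Fallback Action is only offered with {PREEMPTIVE}")
        if d.get("ignore_signed_messages"):
            findings.append("attachments in digitally signed messages will not be security checked")
    if option == SAFE_FILE and d.get("admin_review_group"):
        findings.append("Admin Review Group is not offered with Safe File")
    return findings


def delivery_mode_for(d, on_trusted_list):
    """Resolve the handling that Dynamic Configuration selects per the trusted list."""
    if d["delivery_option"] == DYNAMIC:
        return PREEMPTIVE if on_trusted_list else ON_DEMAND
    return d["delivery_option"]


# Constructed sample: a planned definition for a ZDR account.
PLANNED = {"delivery_option": ON_DEMAND, "ignore_signed_messages": True}

if __name__ == "__main__":
    for finding in review_inbound_definition(PLANNED, account_type="ZDR"):
        print("-", finding)
```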

Use this option to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, it's automatically disabled.

Set Policy as Perpetual

Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.

Date Range

Specify a start and end date for the policy. This automatically deselects the "Eternal" option.

Policy Override

Select this option to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.

Bi-Directional

If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.

Source IP Ranges (n.n.n.n/x)

Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
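How the policy options above combine (enabled state, date range or perpetual, Source IP Ranges in CIDR notation, and Bi-Directional) can be modelled as follows. This is an added example, not Mimecast code: the dict keys, the use of plain domains for the policy's sender and recipient scope, the inclusive date comparison and the "no ranges means any source IP" behaviour are all assumptions.

```python
# Added example: a local model of the policy options, not a Mimecast API.
from datetime import date
from ipaddress import ip_address, ip_network


def parse_ranges(entries):
    """Parse Source IP Ranges written in CIDR notation (n.n.n.n/x).

    strict=True raises ValueError for entries with host bits set, such as
    192.0.2.10/24, which usually indicate a mistyped address or prefix.
    """
    return [ip_network(entry.strip(), strict=True) for entry in entries]


def policy_applies(policy, msg):
    """Return True if the policy (hypothetical dict model) covers the message."""
    if not policy.get("enabled", True):
        return False
    # A perpetual policy never expires; otherwise the date must be in range
    # (both end points treated as inclusive, which is an assumption).
    if not policy.get("perpetual"):
        if not policy["start"] <= msg["date"] <= policy["end"]:
            return False
    # Assumption: with no ranges configured, any source IP is accepted.
    ranges = parse_ranges(policy.get("source_ip_ranges", []))
    if ranges and not any(ip_address(msg["source_ip"]) in net for net in ranges):
        return False
    pair = (msg["sender_domain"], msg["recipient_domain"])
    if pair == (policy["from"], policy["to"]):
        return True
    # Bi-Directional: also match when sender and recipient are swapped.
    return bool(policy.get("bi_directional")) and pair == (policy["to"], policy["from"])


# Constructed sample data (documentation domains and address ranges).
POLICY = {"enabled": True, "perpetual": False,
          "start": date(2024, 1, 1), "end": date(2024, 12, 31),
          "source_ip_ranges": ["192.0.2.0/24"], "bi_directional": True,
          "from": "example.org", "to": "example.com"}
MESSAGE = {"date": date(2024, 6, 1), "source_ip": "192.0.2.25",
           "sender_domain": "example.com", "recipient_domain": "example.org"}

if __name__ == "__main__":
    print(policy_applies(POLICY, MESSAGE))
```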

Are there plans to introduce more thorough documentation for the attachment protection policy? I'd like to configure it, but there doesn't seem to be as much information available for this as there is for other TTP add-ins.

The policy itself will be straightforward in giving it a name and selecting the definition to use. This article should be updated to include the other options like direction of traffic inspection and IP exemptions, but these are pretty standard for most policies.